MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 4968ba801674176e9d07c54ed20f199c123ece3c0c4082ee35a3ff4d7ee00471. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Gafgyt


Vendor detections: 9



SHA256 hash: 4968ba801674176e9d07c54ed20f199c123ece3c0c4082ee35a3ff4d7ee00471
SHA3-384 hash: a575bbdc0c1c053117d05d2a42b1ec295b61aed8136e33718d40c22420be250be47a041057b295021031da658fc27c5f
SHA1 hash: 8872cccf4cfe65381ec53cebf811e1b8e7d11cd5
MD5 hash: 202fafde5b2c6cd0b2548109a608c775
humanhash: ack-floor-zebra-south
File name: bins.sh
Signature: Gafgyt
File size: 2'014 bytes
First seen: 2025-02-03 08:31:23 UTC
Last seen: Never
File type: sh
MIME type: text/x-shellscript
ssdeep: 48:BX6axX8GwXKGwFxUquLBXAsSXZ1wGGKmX6q/XXz4CZsiCvXs6OXObpJenJ+XoG1Y:BXnX0XzlXEXQXZXXz7qtvXGXcXhXULzR
TLSH: T18F415EDD41928906D1D6BA0CF677CE948CCCEACB70898AD9ED486C79781DD08787EE40
Magika: shell
Reporter: abuse_ch
Tags: gafgyt sh
Download URLs associated with this sample, one per target architecture, with the payload each served (the armv5 and powerpc440 URLs served the same binary):

URL | Malware sample (SHA256 hash) | Signature | Tags
http://103.130.214.198/jackmymips | e88b9e4bf263da826ab1092a2ca78c8c44443daa77ba60f3665843196dd75b31 | Mirai | elf gafgyt mirai
http://103.130.214.198/jackmymipsel | ebff2d3d7e12ee71ad7bf63c2a6790f068dff22755e394c4291d2e12e247bced | Gafgyt | elf gafgyt
http://103.130.214.198/jackmysh4 | 1d270c64fc23a0c44fcdd08acd254c380a319299dc92b7759965baa37e0b0015 | Gafgyt | elf gafgyt mirai
http://103.130.214.198/jackmyx86 | 8877ce055688f8cf77a1ef610b4eae5dc7ec7bb42fc7fb4f87514570039c18e1 | Mirai | elf gafgyt mirai
http://103.130.214.198/jackmyarmv6 | 000a61bda7deb777f50d33a4157c19af75bf6ba5ef378400f85fdc2c3c5f98c0 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyi686 | a73322db71130be3321de46089b5ff02180f81ef74ced56be48dfbdd84beb6d8 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmypowerpc | aee015f99b6ef72bdf5760c5df68ea912b210c2ea6b60449053b7f5d07d2ac88 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyi586 | 69647111ada35fe7ecbcf98db0bb9c247a2ed15f7d327d76509c987b7625d5dc | Mirai | elf gafgyt mirai
http://103.130.214.198/jackmym86k | 841ca3173f0eee4920d42cb45cdc5787e0973af886b7f840fce566b7fea97f8f | Gafgyt | elf gafgyt
http://103.130.214.198/jackmysparc | 12ddfbb33d1a468c86d7a040f4138cb76624925c04b58b89abb53062f380b697 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyarmv4 | a6083fb02112a07f1e808d8a5e2132aab3e2df5030dfd7ce4bf5576cb8d722e5 | Gafgyt | elf gafgyt
http://103.130.214.198/jackmyarmv5 | 0d20db4935b078b06b8b941df541a7e9c0449d2ce65f39fbdaa268acd2be5bef | Gafgyt | elf gafgyt
http://103.130.214.198/jackmypowerpc440 | 0d20db4935b078b06b8b941df541a7e9c0449d2ce65f39fbdaa268acd2be5bef | Gafgyt | elf

Intelligence


File Origin
# of uploads: 1
# of downloads: 99
Origin country: DE

Vendor Threat Intelligence

Result
Verdict: Malicious
Threat level: 10/10
Confidence: 100%
Tags: evasive lolbin remote

Result
Verdict: MALICIOUS
Threat name: Script-Shell.Trojan.Geninst
Status: Malicious
First seen: 2025-02-03 07:15:01 UTC
File Type: Text (Shell)
AV detection: 11 of 24 (45.83%)
Threat level: 5/5

Result
Malware family:
Score: 10/10
Tags: family:gafgyt antivm botnet defense_evasion discovery linux
Behaviour:
Reads runtime system information
System Network Configuration Discovery
Checks CPU configuration
File and Directory Permissions Modification
Executes dropped EXE
Detected Gafgyt variant
Gafgyt family
Gafgyt/Bashlite
Malware Config
C2 Extraction: 185.237.15.131:666
Please note that we are no longer able to provide a coverage score for Virus Total.
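The URL table above and the C2 under Malware Config are the indicators a responder actually works with. The Python below is an added example, not MalwareBazaar's or abuse.ch's code: it parses the table rows as a text export of this entry runs them together (URL glued to the hash, signature glued to the first tag), groups the per-architecture URLs by payload hash, folds in the extracted C2, and sweeps a few constructed log lines for any of those indicators. The known-signature list, the assumption that each filename is the prefix jackmy followed by the target architecture, and the proxy/firewall log format are assumptions made here, not facts stated on the entry.

```python
import re
from collections import defaultdict, namedtuple

# Constructed input: the rows of this entry's URL / SHA256 / Signature / Tags
# table exactly as a text export runs the columns together (URL glued to hash,
# signature glued to the first tag). Values are copied from the entry.
RAW_ROWS = """
http://103.130.214.198/jackmymipse88b9e4bf263da826ab1092a2ca78c8c44443daa77ba60f3665843196dd75b31 Miraielf gafgyt mirai
http://103.130.214.198/jackmymipselebff2d3d7e12ee71ad7bf63c2a6790f068dff22755e394c4291d2e12e247bced Gafgytelf gafgyt
http://103.130.214.198/jackmysh41d270c64fc23a0c44fcdd08acd254c380a319299dc92b7759965baa37e0b0015 Gafgytelf gafgyt mirai
http://103.130.214.198/jackmyx868877ce055688f8cf77a1ef610b4eae5dc7ec7bb42fc7fb4f87514570039c18e1 Miraielf gafgyt mirai
http://103.130.214.198/jackmyarmv6000a61bda7deb777f50d33a4157c19af75bf6ba5ef378400f85fdc2c3c5f98c0 Gafgytelf gafgyt
http://103.130.214.198/jackmyi686a73322db71130be3321de46089b5ff02180f81ef74ced56be48dfbdd84beb6d8 Gafgytelf gafgyt
http://103.130.214.198/jackmypowerpcaee015f99b6ef72bdf5760c5df68ea912b210c2ea6b60449053b7f5d07d2ac88 Gafgytelf gafgyt
http://103.130.214.198/jackmyi58669647111ada35fe7ecbcf98db0bb9c247a2ed15f7d327d76509c987b7625d5dc Miraielf gafgyt mirai
http://103.130.214.198/jackmym86k841ca3173f0eee4920d42cb45cdc5787e0973af886b7f840fce566b7fea97f8f Gafgytelf gafgyt
http://103.130.214.198/jackmysparc12ddfbb33d1a468c86d7a040f4138cb76624925c04b58b89abb53062f380b697 Gafgytelf gafgyt
http://103.130.214.198/jackmyarmv4a6083fb02112a07f1e808d8a5e2132aab3e2df5030dfd7ce4bf5576cb8d722e5 Gafgytelf gafgyt
http://103.130.214.198/jackmyarmv50d20db4935b078b06b8b941df541a7e9c0449d2ce65f39fbdaa268acd2be5bef Gafgytelf gafgyt
http://103.130.214.198/jackmypowerpc4400d20db4935b078b06b8b941df541a7e9c0449d2ce65f39fbdaa268acd2be5bef Gafgytelf
""".strip().splitlines()

C2_ENDPOINTS = ["185.237.15.131:666"]  # "C2 Extraction" under Malware Config

# Assumption: the signatures that occur in this table. Tags are lowercase and
# the signature is glued to the first tag ("Gafgytelf"), so a list is needed.
KNOWN_SIGNATURES = ("Gafgyt", "Mirai")
# Assumption: each filename is this prefix followed by the target architecture.
FILENAME_PREFIX = "jackmy"

# The URL group is non-greedy, so the hash is exactly the 64 hex chars before
# the first whitespace, even when the path itself ends in hex digits (sh4).
ROW_RE = re.compile(r"^(?P<url>https?://\S+?)(?P<sha256>[0-9a-f]{64})\s+(?P<rest>\S.*)$")
URL_RE = re.compile(r"https?://[^\s\"']+")
CONN_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

Row = namedtuple("Row", "url sha256 signature tags arch")

def parse_row(line):
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable row: {line!r}")
    sig = next((s for s in KNOWN_SIGNATURES if m["rest"].startswith(s)), None)
    if sig is None:
        raise ValueError(f"unknown signature in row: {line!r}")
    tags = tuple(m["rest"][len(sig):].split())
    name = m["url"].rsplit("/", 1)[-1]
    arch = name[len(FILENAME_PREFIX):] if name.startswith(FILENAME_PREFIX) else name
    return Row(m["url"], m["sha256"], sig, tags, arch)

def parse_table(lines):
    return [parse_row(line) for line in lines if line.strip()]

def hashes_by_binary(rows):
    # Distinct payload hash -> architectures it is served for; a hash listed
    # under two names means the operator uploaded one binary twice.
    by_hash = defaultdict(list)
    for r in rows:
        by_hash[r.sha256].append(r.arch)
    return dict(by_hash)

def build_iocs(rows, c2_endpoints):
    # Flatten the entry into the indicator sets a log sweep needs.
    hosts = {re.match(r"https?://([^/:]+)", r.url).group(1) for r in rows}
    c2 = set()
    for ep in c2_endpoints:
        ip, port = ep.rsplit(":", 1)
        c2.add((ip, int(port)))
        hosts.add(ip)
    return {"hosts": hosts, "urls": {r.url for r in rows}, "c2": c2}

def sweep_logs(lines, iocs):
    # (line_no, reason) per hit, strongest signal first: a full dropper URL,
    # then an IP:port equal to the C2, then a bare indicator host anywhere.
    hits = []
    for no, line in enumerate(lines, 1):
        if set(URL_RE.findall(line)) & iocs["urls"]:
            hits.append((no, "dropper-url"))
        elif {(ip, int(p)) for ip, p in CONN_RE.findall(line)} & iocs["c2"]:
            hits.append((no, "c2-endpoint"))
        elif any(re.search(r"(?<![\d.])%s(?![\d.])" % re.escape(h), line)
                 for h in iocs["hosts"]):
            hits.append((no, "ioc-host"))
    return hits

# Constructed log lines in a generic proxy/firewall style, not from any real
# system; three of the four touch an indicator from the entry.
SAMPLE_LOG = [
    "2025-02-03T08:30:01Z proxy src=10.0.0.12 GET http://103.130.214.198/jackmymips 200 1234",
    "2025-02-03T08:30:02Z fw src=10.0.0.12:51544 dst=185.237.15.131:666 proto=tcp action=allow",
    "2025-02-03T08:30:03Z proxy src=10.0.0.13 GET http://example.invalid/index.html 200 512",
    "2025-02-03T08:30:04Z fw src=10.0.0.14:40000 dst=185.237.15.131:80 proto=tcp action=allow",
]
```

parse_table(RAW_ROWS) gives the thirteen rows; hashes_by_binary() shows twelve distinct payloads because the armv5 and powerpc440 URLs share one hash, and sweep_logs(SAMPLE_LOG, build_iocs(rows, C2_ENDPOINTS)) flags the download, the connection to the C2 port, and the weaker bare-host contact on a different port. The signature split relies on the known-signature list: if a row with a signature outside that list is fed in, parse_row() raises rather than silently mis-splitting the tags.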

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: ach_202412_suspect_bash_script
Author: abuse.ch
Description: Detects suspicious Linux bash scripts

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download > Gafgyt > sh 4968ba801674176e9d07c54ed20f199c123ece3c0c4082ee35a3ff4d7ee00471 (this sample)

Delivery method: Distributed via web download

Comments